Three Buddy Problem

Salt Typhoon IOCs, Google floats ‘cyber disruption unit’, WhatsApp 0-click

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit. Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world. We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.Links:Transcript (unedited, AI-generated)NSA, Allies Report on Salt TyphoonUK and allies expose China tech companiesJoint Advisory on Salt Typhoon (IOCs)Dutch providers targeted by Salt TyphoonSilent Control: The Hidden Penetration of MystRodXGoogle previews cyber ‘disruption unit'Anthropic report on misuse of Claude AIWhatsApp 0day exploited (iOS attack chain)RationalEdge - Intelligence Meets AccuracyLABScon Speakers 2025

Zero-day reality check: iOS exploits, MAPP in China and the hack-back temptation

Three Buddy Problem - Episode 59: Apple drops another emergency iOS patch and we unpack what that “may have been exploited” language really means: zero-click chains, why notifications help but forensics don’t, and the uncomfortable truth that Lockdown Mode is increasingly the default for high-risk users. We connect the dots from ImageIO bugs to geopolitics, discuss who’s likely using these exploits, why Apple’s guidance stops short, and the practical playbook (ADP on, reboot often, reduce attack surface) that actually works. Plus, we debate Microsoft throttling MAPP access for Chinese vendors, the idea of “letters of marque” for cyber (outsourced offense: smart deterrent or Pandora’s box?), and dissect two case studies that blur APT and crimeware: PipeMagic’s CLFS zero-day and Russia-linked “Static Tundra” riding seven-year-old Cisco bugs. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.Links:Transcript (unedited, AI-generated)Apple bulletin: iOS 18.6.2Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOSUK drops demand for backdoor into Apple encryptionTulsi Gabbard on UK dropping Apple backdoor mandateMicrosoft Curbs Early Notifications for Chinese Firms on Security FlawsKaspersky report on PipeMagicMicrosoft: Dissecting PipeMagic Backdoor FrameworkCisco Talos on Static Tundra FBI advisory on end-of-life network devicesSIM-Swapper, Scattered Spider Hacker Gets 10 YearsQubic Claims Majority Control of Monero Hashrate, Raising 51% Attack FearsState of Statecraft Call for PapersLABScon 2025 Speaker RosterOffensive AI ConThree Buddy Problem: LIVE in Canada

On AI’s future, security’s failures, and what comes next...

Three Buddy Problem - Episode 58: The buddies react to the Brandon Dixon episode, digging into what it’s really like to scale products inside a tech giant, navigate politics, and bring features to millions of machines. Plus, an exploration of the AI cybersecurity gold rush, the promise and hype, and the gamble for startups versus the slow-moving advantage of incumbents. We revisit the Chinese "cyber militia" discussion and the looming AI “dot-com bubble,” the value of owning infrastructure, Nvidia and export controls, China’s manufacturing edge, and the geopolitics of supply chains. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.Links:Transcript (unedited, AI-generated)Live from Black Hat: Brandon DixonPSIRT | FortiGuard LabsSonicWall Firewalls – SSLVPN Recent Threat ActivityCisco CVSS 1.0 RCEMargin Research: Cyber Militias ReduxRussia Is Suspected to Be Behind Breach of Federal Court Filing SystemRussian hackers seized control of Norwegian damPoland foiled cyberattack on big city's water supplyEU Parliament pressing for agreement on chat scanning billLABScon 2025

Live from Black Hat: Brandon Dixon parses the AI security hype

Three Buddy Problem - Episode 57: Brandon Dixon (PassiveTotal/RiskIQ, Microsoft) leads a deep-dive into the collision of AI and cybersecurity. We tackle Google’s “Big Sleep” project, XBOW’s HackerOne automation hype, the long-running tension between big tech ownership of critical security tools and the community’s need for open access. Plus, the future of SOC automation to AI-assisted pen testing, how agentic AI could transform the cyber talent bottlenecks and operational inefficiencies, geopolitical debates over backdoors in GPUs and the strategic implications of China’s AI model development. Cast: Brandon Dixon, Juan Andres Guerrero-Saade, and Ryan Naraine.Links:Transcript (unedited, AI-generated)Brandon Dixon | LinkedInGoogle 'Big Sleep' AI Issue TrackerXBOW - The road to Top 1: How XBOW did itDoes “XBOW AI Hacker” Deserve the Hype?XBOW - Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series BNVIDIA: No Backdoors. No Kill Switches. No Spyware Nvidia reiterates its chips have no backdoors, urges US against location verificationGoogle: Our Big Sleep agent makes a big leapMicrosoft announces acquisition of RiskIQ RiskIQ attack surface managementBrandon Dixon (SecurityConversations podcast)Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Rethinking APT Attribution: Dakota Cary on Chinese Contractors and Espionage-as-a-Service

Three Buddy Problem - Episode 56: China-focused researcher Dakota Cary joins the buddies to dig into China’s sprawling cyber ecosystem, from the HAFNIUM indictments and MSS tasking pipelines to the murky world of APT contractors and the ransomware hustle. We break down China’s “entrepreneurial” model of intelligence collection, why public visibility into these threat actors is so hard to get right, and how companies like Microsoft get caught in the geopolitical crossfire. Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps. Cast: Dakota Cary, Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.Links:Transcript (unedited, AI-generated)Dakota Cary on LinkedInChina’s Covert Capabilities -- Silk Spun From HafniumHAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber EcosystemMicrosoft Probing Whether Chinese Hackers Found Flaw Via MAPP Cybersecurity Law of the People’s Republic of ChinaFrozen in transit: Secret Blizzard’s AiTM campaign against diplomatsFire Ant: Hypervisor-Level Espionage Targeting VMware ESXi & vCenterSingapore actively dealing with ongoing China cyberattackIranians Targeted With Spyware in Lead-Up to War With Israel — all inside Iran and working either in the country’s technology sector or for the government.LABScon 2025Apple in China (book)